Re: Microsoft MCWNDX.OCX ActiveX buffer overflow

From: xenophi1e (oliver.laveryat_private)
Date: Wed Aug 13 2003 - 10:50:32 PDT

    In-Reply-To: <007201c361df$c311f0c0$329f8018@youru10ixi0anw>
    
    
    Does anyone know what the guid for this control is? I don't have it on XP 
    with Visual Studio 6 installed. 
    
    Could this be the same as the Microsoft Multimedia Control, aka 
    MCI32.OCX? 
    
    Cheers,
    ~ol
    
    > Microsoft MCWNDX.OCX ActiveX buffer overflow
    > =================================================
    >
    > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
    >HOMEPAGE:  www.microsoft.com
    >VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to
    >support multimedia programming.
    >
    > DESCRIPTION
    > =================================================
    >
    > MCWNDX is an ActiveX shipped with Visual Studio 6 to
    >support multimedia programming. Although not many people use it anymore,
    >however it still can be called through CLSID in a website and passing a
    >large amount of data to the ActiveX will cause a buffer overflow.
    >
    >Since this ActiveX is only shipped with Visual Studio 6.0, so only
    >people who are having Visual Studio 6.0 will be affected or people
    >who are still using old multimedia programs coded in Visual Studio 6.0
    >(In my PC, the last date the ActiveX is patched is in 1996 ! I am using
    >VS Sp 4)
    >
    >
    > DETAILS
    > =================================================
    > The ActiveX has a property called "Filename" which is used to specify
    >the .mci file to load. However if it is passed with a very large
    >string (640KB is good enough :-) ), it will cause a buffer overflow.
    >(I can't overwrite the EIP using this overflow in my XP, however it
    >doesn't mean the problem can't be exploited)
    >
    >Microsoft has been noticed but since the hole is maybe minor to them so
    >they don't respond to me even a short sentence like "Thank you !"
    >
    >
    >
    > WORKAROUND
    > =================================================
    >
    > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
    >using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
    >below
    >
    >
    >CREDITS
    > =================================================
    >
    > Discovered by Tri Huynh from Sentry Union
    >
    >
    > DISCLAIMER
    > =================================================
    >
    > The information within this paper may change without notice. Use of
    > this information constitutes acceptance for use in an AS IS condition.
    > There are NO warranties with regard to this information. In no event
    > shall the author be liable for any damages whatsoever arising out of
    > or in connection with the use or spread of this information. Any use
    > of this information is at the user's own risk.
    >
    >
    > FEEDBACK
    > =================================================
    >
    > Please send suggestions, updates, and comments to: trihuynhat_private
    >
    >
    >
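
The reply above asks which GUID the control is registered under, and the quoted workaround removes the file from disk. As an added example (not part of either message), this PowerShell script lists every COM class whose in-process server is one of the file names used in the thread; the default name list and the output field names are assumptions chosen for illustration.

```powershell
# Added example (not from the advisory or the reply). The default file names are
# the spellings that appear in the thread; pass -FileName to check others.
param(
    [string[]]$FileName = @('MCWNDX.OCX', 'MCIWNDX.OCX', 'MCI32.OCX')
)

# 32-bit controls on 64-bit Windows register under WOW6432Node, so check both views.
$roots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
) | Where-Object { Test-Path -LiteralPath $_ }

foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $class  = $_
        $server = $class.OpenSubKey('InprocServer32')
        if ($null -eq $server) { return }   # class has no in-process server

        # The unnamed (default) value is the path of the DLL/OCX implementing the class.
        $path = [string]$server.GetValue('')
        $server.Close()
        if ([string]::IsNullOrWhiteSpace($path)) { return }

        $path = $path.Trim('"')
        $leaf = ($path -split '[\\/]')[-1]  # file name without the directory part
        if ($FileName -contains $leaf) {    # -contains compares case-insensitively
            [pscustomobject]@{
                CLSID      = $class.PSChildName
                ClassName  = $class.GetValue('')
                ServerPath = $path
                OnDisk     = Test-Path -LiteralPath $path
                View       = $root
            }
        }
    }
}
```

A row with `OnDisk` set to `False` means the file has been deleted as the workaround describes but the class registration is still present in the registry.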
    



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 11:31:26 PDT